clarkbaker1964
Constraint Violating Yak Guru
428 Posts
Posted - 2004-12-16 : 20:17:00

Does the DBA need NT Admin rights?
Or should this be sole ownership of Network team domain administrators?

tkizer
Almighty SQL Goddess
38200 Posts
Posted - 2004-12-16 : 20:20:11

Well, you put this in the DBA forum, so we're going to say YES! I believe we can get away without it, but I've always demanded it and have always got my way. Besides, xp_cmdshell gives us local admin anyway, so it'd be pointless for them not to do it since we can do everything from xp_cmdshell. It may just be a little harder to get around with xp_cmdshell than with the GUI tools.

Tara

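How far xp_cmdshell reaches on a given instance depends on whether it is enabled, which Windows account the service runs as, and who can call it. The read-only audit below is an added example, not part of the original thread; it assumes SQL Server 2008 R2 SP1 or later (the catalog views used here postdate the thread) and a login with VIEW SERVER STATE and VIEW ANY DEFINITION.

```sql
-- Added example: read-only audit of xp_cmdshell exposure on one instance.
-- Assumption: SQL Server 2008 R2 SP1 or later, run by a login that holds
-- VIEW SERVER STATE and VIEW ANY DEFINITION (or sysadmin).

-- 1. Is xp_cmdshell enabled right now? (1 = enabled, 0 = disabled)
SELECT name,
       CAST(value_in_use AS int) AS enabled
FROM sys.configurations
WHERE name = N'xp_cmdshell';

-- 2. Which Windows accounts do the SQL Server services run as?
--    A sysadmin's xp_cmdshell commands run under the Database Engine
--    service account, so this account's OS rights are what the DBA gets.
SELECT servicename,
       service_account,
       status_desc
FROM sys.dm_server_services;

-- 3. Who is in sysadmin, and can therefore run (or re-enable) xp_cmdshell?
SELECT m.name      AS login_name,
       m.type_desc AS login_type,
       m.is_disabled
FROM sys.server_role_members AS rm
JOIN sys.server_principals   AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals   AS m ON m.principal_id = rm.member_principal_id
WHERE r.name = N'sysadmin'
ORDER BY m.name;

-- 4. Is a proxy credential defined? If so, non-sysadmin callers that have
--    EXECUTE on xp_cmdshell run commands as this Windows identity.
SELECT name,
       credential_identity,
       modify_date
FROM sys.credentials
WHERE name = N'##xp_cmdshell_proxy_account##';
```

If query 2 shows a service account that is a member of the local Administrators group, every login returned by query 3 effectively has local admin on the host, whatever their NT account is granted.
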
clarkbaker1964
Constraint Violating Yak Guru
428 Posts
Posted - 2004-12-16 : 20:39:18

Actually this is a pointed issue as they are removing cmd.exe rights to execute on all machines.
I have made cases for this but they are few and far between.
The Head of Networks wants to remove this access and given the implementations of the previous "DBAs" I would have been the first one in line to fire the guy. But now I am in a corner with trust as I am new to the organization; as we know, trust is earned over time, but now I'm in a corner.

nr
SQLTeam MVY
12543 Posts
Posted - 2004-12-16 : 21:42:20

>> Does the DBA need NT Admin rights?

Not necessarily - but if there's a big problem it will help.
You will have to be able to view backups and monitor disk space depending on what the company thinks a dba is.
A non-production dba - i.e. someone who advises what to do and what not to do and trains people to do it and looks more after the development (the job I prefer) doesn't need it. In fact only really needs read access.
A production dba will be more closely aligned to the infrastructure people and I would expect them to have admin rights.
A lot of companies lock down the production system but leave xp_cmdshell available on the dev system with domain admin rights so that might be worth checking.

==========================================
Cursors are useful if you don't know sql.
DTS can be used in a similar way.
Beer is not cold and it isn't fizzy.

clarkbaker1964
Constraint Violating Yak Guru
428 Posts
Posted - 2004-12-16 : 23:54:22

Well, the department that hired me is a part of software development... However, no one in the infrastructure team has any expertise in this area. I am currently an administrator on 9 of the SQL Servers... There are 22 others that are being supported by network admins that have asked me how to use the backup wizard. My outstanding question to the CIO is how he sees my role within the organization. Basically the Network Team lost the fight in getting the DBA position as a direct report to the Head of Network; instead I am reporting to his peer, the Head of Software Development. Personally I don't care as I have had other assignments that have fallen into both sides of the fence.
I am just concerned that I may concede on something I may need later in a high stress situation.
Opinions invited... Viewpoints from developers are appreciated as well, as I will need to build buy-in and trust from both.

robvolk
Most Valuable Yak
15732 Posts
Posted - 2004-12-17 : 00:14:52

I can tell you at my current job, I'm the DBA. I also do some development. But I have admin rights not only on the database servers but also the web servers and some others as well. Sometimes I do application builds too. I never insisted I needed the rights though, and I refuse to get domain admin because I truthfully do not want the responsibility. The most I ever said was "well, I could take care of that if I had the rights"...in other words, doing the network guys a favor. Our developers are always bitching about not having enough permissions to do things and they get nowhere. I've found very often that network admins are only dicks to people who act like dicks. Once they find out that you're competent at your job and don't want to do anything to get in their way, they usually will help you out. And if you act and behave as if the power struggle/politics/org chart don't mean that much to you then you start to get a reputation as one who rises above all the petty bullshit and gets things done.

jen
Master Smack Fu Yak Hacker
4110 Posts
Posted - 2004-12-17 : 04:24:39

You must know at least the password to the service account (domain account which has local admin privileges on the SQL servers). SQL Server sends some weird errors and resolving an issue in the quickest possible time is the goal. In my experience, errors are usually 'odbc errors', 'general network failure', 'timeout expired'.
You should have at least that degree of freedom when it comes to the servers.
If they provide other admin accounts aside from SQL, better for you, but I guess you won't be needing them anyway.

--------------------
keeping it simple...

tkizer
Almighty SQL Goddess
38200 Posts
Posted - 2004-12-17 : 12:16:20

Jen,

Those errors that you mentioned...how does knowing the service account's password help you resolve them?

Tara

clarkbaker1964
Constraint Violating Yak Guru
428 Posts
Posted - 2004-12-17 : 13:30:46

Excellent feedback... To Jen's point, I did have a backup job that failed and upon investigation it turned out that the security rights for the folders had changed. Not surprising though, as I have been targeting improperly shared folders with rights to everyone.
Anyway, I had to use my NT account to get the service running, due to the previous "DBA" having set the service to run under his credentials, which disappeared when they disabled his NT account.
It would have been easier to assign the service to the proper account; however, I did not know the password, and the local service account would not start the services. HMMM, that's still a mystery!

clarkbaker1964
Constraint Violating Yak Guru
428 Posts
Posted - 2004-12-17 : 18:46:12

Ok, here is what I have been thinking about...

Database administrators need administrator rights for all Servers running SQL Server until security policies can be established to enable the DBA to perform all necessary tasks related to SQL on the server. Do needs analysis on how to remove Administrator Rights while retaining the rights needed to manage the server. Some of these may require working directly with the network team.

• Start & Stop Services
• Assign Services to run under specific accounts, and manage the permissions of the Service Accounts.
• Command Line Execution - this would encompass the ability to run osql commands required to repair/rebuild corrupted system databases required to run SQL Server.
• Terminal Service into the server to validate and modify program installation settings that are stored in "ini" files and the registry.
• Install additional instances of SQL Server.
• Diagnose installed programs that interface with SQL Server such as:
  1. Visual Source Safe
  2. Outlook client
  3. Baseline Security Analyzer
  4. SQL Debugging
  5. Visual Studio & .NET Framework
  6. DTS packages
  7. Compression programs such as PKZIP
  8. SQL Server Reporting Services (Requires IIS, Visual Studio and .NET Framework)
  9. If IIS is required - Ability to manage this service.
• Analysis of rights related to Services running on the machine that may be impacted by security policies implemented on the machine.
• Ability to read NT Logs and review Anti virus logs if running on server.
• Ability to view the Task Manager and/or run trace to determine what programs are consuming resources and/or causing SQL Server issues

Do you think this needs analysis is a FAIR assessment of what we deal with on a daily basis?